CVE-2026-39901
Authorization Bypass in monetr Allows Soft-Deletion of Transactions
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monetr | monetr | to 1.12.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the monetr application to version 1.12.3 or later, where the issue has been fixed.
Can you explain this vulnerability to me?
This vulnerability exists in the monetr budgeting application before version 1.12.3. It involves a transaction integrity flaw where an authenticated tenant user can soft-delete synced non-manual transactions by using the transaction update endpoint. Normally, the application blocks deletion of these transactions through the standard DELETE method, but this flaw allows bypassing that protection. As a result, protected imported transaction records can be hidden from normal views.
How can this vulnerability impact me? :
The vulnerability allows an authenticated user to hide certain transaction records that should not be deleted. This can lead to inaccurate financial data being displayed or reported, as important imported transactions can be soft-deleted and thus hidden from normal views. This undermines the integrity of budgeting and financial planning within the application.